CVE-2026-45822 | decode-uri-component through 0.4.1 is vulnerable to denial o… | CVSS 6.6 MEDIUM

Description

decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.

Metadata

CVE ID: CVE-2026-45822
State: PUBLISHED
Assigner: seal
Reserved: 2026-05-13 12:03 UTC
Published: 2026-06-30 08:05 UTC
Last updated: 2026-06-30 08:05 UTC
Primary CWE: CWE-400
CWE-400 Uncontrolled Resource Consumption
Vendor / Product: SamVerschueren / decode-uri-component
Sources: cve.org · NVD

Severity & Metrics

6.6 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:U/V:D/RE:M/U:Amber

Affected products (1)

Vendor	Product	Platform	Versions
SamVerschueren	decode-uri-component	Linux,macOS,Windows	0.1.0 < 0.5.0

Weakness (CWE)

CWE	Source	Description
CWE-400	cna	CWE-400 Uncontrolled Resource Consumption
CWE-407	cna	CWE-407 Inefficient Algorithmic Complexity

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.6	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:U/V:D/RE:M/U:Amber

References (3)